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(57) An License Agent (LA), or a license chip having 
the same function as the License Agent, is disposed in 
a Personal Computer (12), a content distribution server 
(10), and a medium attached to a Private Device or Port- 
able Device (14) that use a license for electronic data. 
A content and electronic data are encrypted corre- 
sponding to a license. The encrypted content and elec- 
tronic data are distributed between the various devices. 
However, the license is distributed between the License 
Agents as safe communication means. Thus, the li- 
cense can be correctly managed and transferred. 
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Description 

[0001] The present invention relates to a system that 
allows a license for a digital content and so forth to be 
securely transmitted and transferred under an offline en- 5 
vironment. 

[0002] Nowadays, the Internet and computers are be- 
coming popularized and advanced. Besides program 
files, network sales of music data files and video data 
files and so forth are started. However, since these files *o 
are electronic data, once they are downloaded, they can 
be easily copied. Thus, their copyrights and related 
rights will be easily infringed. To solve such a problem, 
it is desired to accomplish a system for distributing and 
managing licenses for these electronic files. 15 
[0003] The technologies that have been disclosed for 
solving such a problem have the following disadvantag- 
es. 

[0004] Once copyrighted electronic data is distributed 
between users, the transmission side has no means for 20 
controlling the access for the copyrighted electronic da- 
ta. 

- Distribution of NDA document between companies 

25 

[0005] Even if an electronic document is distributed to 
a particular person of a company who has contracted 
for NDA (Non Disclosure Agreement), there is a possi- 
bility of which the electronic document is copied and/or 
printed and distributed to other people who have not 30 
contracted for the NDA. 

- Distribution of material -under- review in company 

[0006] When a material under review is distributed to 35 
only a concerned group, the material will be copied and/ 
or printed. As a result, the material will be distributed to 
other members. Thus, there is a possibility of which the 
information will be leaked out to the outside of the com- 
pany. 40 
[0007] Thus, it is necessary to provide a function that 
allows the creator of electronic data to affect his or her 
will to affect the access control after the electronic data 
has been transmitted. 

[0008] In prior art, as cou n term easu res against such 4 $ 
a problem, a dedicated data transferring system as 
shown in Fig. 1 is used. 

[0009] Fig. 1 is a schematic diagram showing the 
structure of the conventional dedicated data transferring 
system for managing licenses. 50 
[0010] In Fig. 1, a PC (Personal Computer: user ter- 
minal unit) of a content transmission side of a content 
uses a dedicated data transferring client unit so as to 
perform a transferring process for the content to be 
transferred. The PC transmits the processed content to 55 
a dedicated server corresponding to a secret protection 
transferring system. A PC of another user (user 1 ) that 
receives the content has a dedicated client unit. The PC 



of the user 1 receives the content from the dedicated 
server corresponding to the dedicated secret protection 
transferring system. After the PC performs the transfer- 
ring process for the received content, the content is 
stored in a local hard disk or the like so that the user 1 
can reference the received content. 
[001 1 ] When the user 1 tries to transfer the content to 
another user 2, the user 1 transfers the content to the 
dedicated server corresponding to the dedicated secret 
protection transferring system uses a transfer process- 
ing function of the dedicated client unit. The user 2 
downloads the content from the dedicated server to a 
dedicated client unit corresponding to the dedicated se- 
cret protection transferring system. 
[0012] The system shown in Fig. 1 has the following 
problems. 

1 ) When electronic data is transferred, the dedicat- 
ed client units should be used. Thus, electronic data 
should be transmitted corresponding to the specifi- 
cations of the dedicated client units (for example, 
electronic data cannot be transmitted and received 
using application programs of the users.) 

In addition, when electronic data is transmitted, 
the dedicated server should be used. Thus, for ex- 
ample, to allow electronic data to be transmitted to 
and received from users who are the same number 
of the conventional e-mail users, it is necessary to 
dispose the same number of dedicated servers as 
mail servers. However, it is not practical. 

2) Since the access control is limited to the PCs, a 
user cannot store the received electronic data to a 
portable record medium and reference the electron- 
ic data with another PC. 

3) The referencing function of electronic data is not 
protected at all. Thus, electronic data can be easily 
retrieved from a memory or a swap area. Conse- 
quently, it cannot be said that the system is suitable 
for transmitting important confidential data. 

[0013] In addition, when a license for a pay content is 
transferred between users, it was pointed out that the 
following problems will take place. 
[001 4] Although services for distributing pay contents 
through the Internet, cellular phone networks (including 
PHS (Personal Handy -phone System) network), and so 
forth have been started. In such services, the user 
should buy a license of a pay content through such a 
service. Thus, the user cannot transfer the license that 
he or she bought to another user unless the content and 
the license are illegally copied. As a result, the license 
distribution channels on the networks are very limited. 
From a view point of a seller of a pay content, it is inev- 
itable to lose the following opportunities. 

A user cannot transfer his or hear license for a pay 
content to another user. 

When a user buys a license for a pay content as a 
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trial, he or she cannot have his or her acquaintances 
use the pay content (if they are satisfied with the 
pay content, they will buy it). 

[0015] So far, solutions against such problems have 
not been considered. In other words, in conventional 
services, contents are illegally copied. Thus, such prob- 
lems disturbed the distribution of pay contents on net- 
works. 

- Multicast of pay contents 

[0016] In a conventional pay content multicasting sys- 
tem, the content transmission side and the content re- 
ception side share a unique secret key of the content 
reception side. The content transmission side transmits 
a license and a content in such a manner that the license 
has been encrypted by the secret key and that the con- 
tent has been encrypted by the license. The content 
transmission side stores the unique secret key of the 
content reception in a TRM (Tamper Resistant Module) 
area of an IC card or the like and supplies the IC card 
or the like to the user. Thus, the user cannot extract the 
secret key from the IC card or the like. 
[0017] The content transmission side places an en- 
crypted license for the content reception side to the en- 
crypted content and transmits the resultant data to the 
content reception side. 

[0018] Fig. 2 is a schematic diagram showing a mech- 
anism of a conventional pay content multicasting sys- 
tem. 

[0019] The transmission side scrambles a content 
with a scramble key and uses the scrambled content as 
an encrypted content. In addition, the transmission side 
encrypts the scramble key with a license. The transmis- 
sion side encrypts the license with secret keys 1 , 2, .... 
and n and obtains encrypted licenses 1,2, n, respec- 
tively. The transmission side transmits as transmission 
data the encrypted content, encrypted scramble key, 
and the encrypted licenses 1 to n . The transmission side 
multi-casts the transmission data through the Internet 
or a satellite broadcast using a broadcast satellite (BS) 
or a communication satellite (CS). 
[0020] A receiving unit has a built-in IC card. Using 
the IC card : the receiving unit decrypts the received en- 
crypted license i with the secret key i, obtains the li- 
cense, decrypts the received encrypted scramble key 
with the obtained license, and obtains the scramble key. 
Thereafter, the receiving unit descrambles the received 
encrypted content with the scramble key and obtains the 
content. 

[0021 ] However, the system using the IC card has the 
following problems. 

1) It is inconvenient for the user to hold the IC card. 

[0022] Unless the user contract with the transmission 
side to issue the IC card and he or she uses it with the 



receiving unit, it cannot receive a broadcast. In addition, 
the user should have IC cards corresponding to con- 
tracted distributors (broadcasting stations and so forth) 
(because each IC card stores a secret key shared by 
5 the corresponding distributor). Thus, it is very inconven- 
ient for the user. 

2) Problem about compatibility (the case of which an IC 
card is not used) 

w 

[0023] When an IC card stores a secret key, if the 
specifications of IC cards of the distributors are stand- 
ardized), one receiving unit can receive transmission 
data from a plurality of distributors (although IC cards 
15 corresponding to the number of distributors are re- 
quired). 

[0024] When no IC card is used, a secret key is shared 
by the receiving unit and the transmission side. Thus, it 
is impractical to receive contents from a plurality of dis- 

20 tributors with one receiving unit. 

[0025] An object of the present invention is to provide 
a license transmitting and distributing system that allows 
a license for electronic data to be formed in an offline 
license so that the user can conveniently use the license 

25 while the security thereof is maintained. 

[0026] The system according to the present invention 
is a system for transmitting and distributing a license of 
a content such as electric documents between users, 
and a information terminal storing the license compris- 

30 es: a license agent unit, located in TRM area, generating 
and storing an offline license, storing an encrypted con- 
tent in the first storing unit, holding and updating a gen- 
eration log for each offline license, the first storing unit 
storing the encrypted content, and the second storing 

35 unit storing the generation log, wherein the license of 
the contents is transmitted and distributed by communi- 
cating the offline license only between the license agent 
units of a plurality of the information terminals. 
[0027] The method according to the present invention 

40 is a method for transmitting and distributing a license of 
a content such as electric documents between users, 
and a method in a information terminal storing the li- 
cense comprises: managing an offline license using a 
license agent unit, located in TRM area, generating and 

45 storing an offline license, storing an encrypted content 
in the first storing unit, holding and updating a genera- 
tion log for each offline license, the first storing step stor- 
ing the encrypted content, and the second storing step 
storing the generation log, wherein the license of the 

50 contents is transmitted and distributed by communicat- 
ing the offline license only between the license agent 
units of a plurality of the information terminals. 
[0028] According to the present invention, the license 
agent manages licenses distributed off line. Licenses 

55 can be transferred between the license agents. As a re- 
sult, offline licenses that are secured can be transmitted 
and transferred. 

[0029] These and other objects, features and advan- 
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tages of the present invention will become more appar- 
ent in light of the following detailed description of a best 
mode embodiment thereof, as illustrated in the accom- 
panying drawings, in which: 

5 

Fig. 1 is a schematic diagram showing a conven- 
tional dedicated data transferring system for man- 
aging licenses; 

Fig. 2 is a schematic diagram showing a mechanism 
of a conventional pay content multicasting system; 10 
Fig. 3 is a schematic diagram showing the overall 
structure of an embodiment of the present inven- 
tion; 

Fig. 4 is a schematic diagram for explaining a func- 
tion of an LA (No. 1): '5 
Fig. 5 is a schematic diagram for explaining a func- 
tion of the LA (No. 2); 

Fig. 6 is a schematic diagram showing an outline of 
the structure of an offline license; 

Fig. 7 is a schematic diagram for explaining the gen- 20 
eration of an offline license and encrypted data; 
Fig. 8 is a schematic diagram showing the structure 
of a record of a license management database; 
Fig. 9 is a schematic diagram showing a process 
for generating an offline license (making offline li- 25 
cense); 

Fig. 10 is a schematic diagram showing the struc- 
ture of a record of an LRL (License Revocation List) 
control database; 

Fig. 11 is a flow chart for explaining an offline license 30 
generating process (No. 1): 

Fig. 12 is a flow chart for explaining an offline li- 
cense generating process (No. 2); 
Fig. 1 3 is a schematic diagram for explaining an of- 
fline license storing process (making online li- 35 
cense); 

Fig. 14 is a flow chart showing an offline license 
storing process; 

Fig. 15 is a schematic diagram showing an outline 
of an electronic document distribution using an of- 40 
fline license; 

Fig. 1 6 is a schematic diagram showing an example 
of which an offline license is applied to a multicast 
(broadcast) (No. 1 ); 

Fig. 1 7 is a schematic diagram showing an example 45 
of which an offline license is applied to the multicast 
(broadcast) (No. 2); and 

Fig. 1 8 is a schematic diagram showing a hardware 
environment of a computer necessary for accom- 
plishing the embodiment of the present invention by so 
a program. 

[0030] In the following description, a function for en- 
crypting a license stored in a TRM area with both a pub- 
lic key of the reception side and a session key in such 55 
a manner that a third party cannot obtain the license and 
obtaining the encrypted license in the form of a conven- 
tional electronic file is referred to as offline license for 



encrypted file. 

[0031] The TRM area stands for Tamper Resistant 
Module area. This area is an area for preventing data 
stored therein from being read from the outside. The de- 
tail will be described later. 

[0032] In the following description, an offline license 
generation log for all offline licenses of each license is 
generated. An offline license generation log used to pre- 
vent a license that has been transferred from being 
stored again is referred to as LRL (License Revocation 
List). 

[0033] Next, an embodiment of the present invention 
will be described. 

- Introduction of offline license 

[0034] As prior art of a license transferring system, 
USAC-MB is known. 

[0035] In the UDAC-MB, a license is stored in the 
TRM area. When a license is transferred between the 
TRM areas, a secure connection prescribed in the 
UDAC-MB protocol is used. 

[0036] According to the license transfer protocol pre- 
scribed in the UDAC-MB, it is necessary to transmit and 
receive several messages between the transfer side 
and the reception side. Thus, a license can be trans- 
ferred only in online real time bidirectional communica- 
tion environment. Thus, the license transferring system 
corresponding to the protocol is not suitable in the fol- 
lowing cases: 

Regular electronic data (such as a word document) 

is transmitted between users. 

A license for a pay content is transferred between 

users. 

Data is normally transferred between users off 
line. It is impractical to force users to make real time 
communications on line (since this method is incon- 
venient for users, it will not be popularized). 
A pay content and a license are sold in pair with a 
record medium (such as CD). 

When a license is sold on line, a distributing 
system corresponding to the UDAC-MB or a porta- 
ble record medium corresponding to the UDAC-MB 
is essential. 

A content is multicast (for example, a broadcast, 
etc.). 

[0037] The transmission side one-sidedly transmits a 
content. The reception side one-sidedly receives a- 
transmitted content. 

[0038] When a license can be transferred between 
the TRMs, the license can be attached to electronic data 
and a pay content that is transferred in the off line envi- 
ronment. In addition, a license can be attached to one- 
way communication data such as a broadcast. Herein- 
after, this license is referred to as offline license. (On the 
other hand, a license prescribed in the UDAC-MB is re- 
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ferred to as online license). 

[0039] Online: A system that can completely transfer 
and distribute a license in one communication connec- 
tion (such as socket). 

[0040] Offline: A system that can transfer and distrib- 
ute a license without a connection between the trans- 
mission side and the reception side. In other words, a 
license can be distributed as regular electronic data on 
a network or with a regular portable record medium. 
[0041] Although an online license can be transferred 
with a portable record medium corresponding to the 
UDAC-MB, the online license cannot be handled in the 
format of regular electronic data. 
[0042] Fig. 3 is a schematic diagram showing the 
overall structure of an embodiment of the present inven- 
tion. 

[0043] Fig. 3 shows the distributions of an offline li- 
cense that has been generated and a content. 
[0044] It is assumed that an LA (Licensor Agent or a 
license chip that is a chip of the LA) is disposed in each 
PC, a content distributing server, and a medium at- 
tached to a PD (Private Device or Portable Device). The 
LA will be described later. 

[0045] With the LA of a content distributing server 1 0, 
a license for a content is transmitted. An encrypted con- 
tent is stored to a record medium such as a hard disk of 
the content distributing server 1 0. The content distribut- 
ing server 1 0 transmits the license for the content to the 
LA of a PC 11 . In addition, the content distributing server 

10 transmits the encrypted content to a record medium 
of the PC 1 1 . A content reproducing application program 
of the PC 1 1 causes a decoder disposed in a TRM area 
to decrypt the encrypted content stored in the record 
medium using the license for the content received by 
the LA and reproduces the decrypted content. When the 
PC 11 receives electronic data such as an electronic 
document from a PC 12, the LA of the PC 11 receives 
a license for the electronic data from the LA of the PC 
12. In addition, the PC 11 receives encrypted electronic 
data from the PC 12 and stores the received encrypted 
electronic data to the record medium. Thereafter, the PC 

11 performs a TRM area installing process of an elec- 
tronic data processing application program for the li- 
cense for the electronic data and decrypts the encrypted 
electronic data with the license for the electronic data. 
The process for the license forthe electronic data serves 
to check the control of the access and so forth. The LA 
of the PC 1 1 and the decoder of the content reproduction 
application program or the TRM area installing process 
of the electronic data process application program are 
communicated corresponding to the UDAC-MB proto- 
col. Since the UDAC-MB protocol is known, although the 
description will be omitted, the details are described in 
Japanese patent application documents listed at the 
end of the section "Description of Preferred Embodi- 
ment". 

[0046] When the encrypted content and the encrypted 
electronic data are moved from the PC 11 to a record 



medium 13 and the record medium 13 is attached to a 
PD 1 4, the PD 1 4 can use the content and the electronic 
data. In this case, the license chip is disposed on the 
record medium 13. Although the encrypted content and 

5 the encrypted electronic data can be normally moved or 
copied, the license for the content and the license for 
the electronic data are stored to the license chip dis- 
posed in the TRM area corresponding to the UDAC-MB 
protocol. The PD 14 decodes the encrypted content and 

10 the encrypted electronic data stored on the record me- 
dium 1 3 with the license for the content and the license 
for the electronic data obtained from the license chip 
corresponding to the UDAC-MB protocol. The decoder 
of the PD 14 is disposed in the TRM area. Thus, when 

1 5 the encrypted content and the encrypted electronic data 
are stored to the record medium 13, a licensed content 
can be distributed off line. 

[0047] In Fig. 3, a content such as music data and 
electronic data such as an electronic document are sep- 
20 arately described , they are substantially electronic files. 
Thus, in the following description, electronic data and a 
content are not distinguished, but used with the almost 
same meaning. 

[0048] Figs. 4 and 5 are schematic diagrams for ex- 

25 plaining a function of the LA. 

[0049] A license - encrypted data generating function 
portion of the LA inputs electronic data (content), a con- 
tent ID, and an access condition. The license - encrypt- 
ed data generating function portion requests an elec- 

30 tronic data encrypting process portion to perform an en- 
crypting process for the electronic data. The license - 
encrypted data generating function portion requests a 
license generating process portion to perform a gener- 
ating process for a license. The license generating proc- 

35 ess portion requests a transaction ID assigning process 
portion of a transaction ID controlling portion to assign 
a unique transaction number for the license. As a result, 
the license - encrypted data generating function portion 
outputs encrypted data. 

40 [0050] An offline license generating function portion 
inputs a reception side LA, an individual public key cer- 
tificate, a content ID, and a transaction ID. The offline 
license generating function portion requests a license 
controlling portion and an LRL controlling portion to 

45 check and search for a license. When an offline license 
has been permitted, an offline transaction ID assigning 
process portion of an offline transaction ID controlling 
portion assigns a unique transaction ID for an offline li- 
cense a record is deleted from the license controlling 

so portion . A record is added to the LRL controlling portion. 
As a result, an offline license is registered. After the of- 
fline license has been encrypted, the encrypted offline 
license is issued. 

[0051] An offline license storing function portion in- 
55 puts an offline license and performs a decrypting proc- 
ess for the offline license. The offline license storing 
function portion requests the license controlling portion 
and the LRL controlling portion to search for a record. 
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When a record is obtained and the license is permitted, 
the record is deleted from the LRL controlling portion. A 
record is added to the license controlling portion . At that 
point, when the license controlling portion and the LRL 
controlling portion access a license management data- 5 
base and an LRL control database, respectively, the li- 
cense controlling portion and the LRL controlling portion 
encrypt data and store those encrypted data into a 
DBMS (Database Management System). 
[0052] In Fig. 5, a license searching function portion io 
inputs a content ID. The license searching function por- 
tion requests a license controlling portion to search for 
a record with the content ID. In addition, the license 
searching function portion requests an LRL controlling 
portion to search for a record with the content ID. As a '5 
result, the license searching function portion obtains a 
transaction ID and an access condition. 
[0053] Fig. 6 is a schematic diagram showing an out- 
line of the structure of an offline license. 
[0054] In Fig. 6, an offline license is composed of the 20 
following parts that are prescribed as follows. 
[0055] Part 1: Session key encrypted by individual 
public key of LA of reception side 

[0056] Part 2: The following data have been encrypt- 
ed with session key. 25 

Subject name of individual public key certificate of 
LA of generation side (transmission side) of offline 
license 

Offline license transaction ID 30 

Assigned by LA of generation side (transmis- 
sion side) of offline license 
License (online license) 
Access condition in TRM of reception side 

Number of times of (period for) which offline li- 35 
cense can be moved 
Others 

Access condition in TRM of content reproduction - 
electronic data processing system 

40 

[0057] Part 3: Digital signature with class secret key 
of LA of generation side (transmission side) of offline 
license 

[0058] Part 4: Individual public key certificate of LA of 
generation side (transmission side) of offline license 45 
[0059] Part 5: Class public key certificate of LA of gen- 
eration side (transmission side) of offline license 
[0060] Next, UDAC-Pl (Protocol Independent) that is 
a modification of the UDAC-MB/LB and that is used to 
handle an offline license according to the embodiment s° 
of the present invention will be described. 
[0061] Preconditions: 



a) The license distribution side has a pair of an in- 
dividual public key KPr and a secret key Kr. 

b) In addition, the license distribution side has a cer- 
tificate C (Kcr, KPr I Ir) of the KPr signed with a class 
secret key Kcr. 



55 



c) In addition, the license distribution side has a cer- 
tificate C (Kar, KPcr II lar) of a KPcr signed with a 
route secret key Kar. 

d) The license reception side is a record medium, a 
license chip, or the TRM of an LA. 

e) The TRM has a pair of an individual public key 
KPt and a secret key Kt. 

f) The individual public key KPt is published as a 
certificate signed with a class secret key Kct. 

g) A class public key KPct is published as a certifi- 
cate signed with the route secret key Kat. 

h) When there is no problem about risk, the authen- 
tication station for the Kar may be the same as the 
authentication station for the Kat. In addition, the 
Kar may be the same as the Kat. 

[0062] When all certificates are searchable with LDAP 
(Lightweight Directory Access Protocol), users can be 
more easily handled. 

- Basic procedure 

[0063] 

(1 ) The distribution side obtains a certificate of the 
KPt of the TRM of the reception side using a means 
such as the LDAP. 

(2) The certificate of the KPt is checked with the 
KPct. The certificate of the KPct is checked with the 
KPat. 

(3) The distribution side generates an offline license 
in the following format. 

E (KPt, Ks) II E (Ks, SNr II Transaction ID II Kc 
H ACt II ACp II Is) II E (Kcr, H (all plain text) II C (Kcr, 
KPr II Ir) IIC (Kar, KPcr II lar) 
where 

Ks: session key 

SNr: subject name of certificate of individual 
public key KPr of distribution side 
Transaction ID: License serial number. The dis- 
tribution side generates a unique number for 
each license. 
Kc: content key 

ACt: access condition in TRM of reception side. 

The format of the ACt is the same as the format 

of the ACm. Alternatively, the format of the ACt 

is an extended format of the ACm. 

ACp: access condition in TRM of reproducing 

system 

Is. other information 
H (x): hash value of x 

C (Kx, KPy): certificate of which the public key 
KPy is signed with the secret key Kx. 
II : meaning that the left side and the right side 
are simply connected. 

(4) The distribution side transmits a license and an 
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encrypted content to the TRM of the reception side. 

(5) The license is decrypted in the TRM of the re- 
ception side. The validity of the license is checked 
with the hash and the certificate. 

(6) It is checked whether or not the SNr and the 
transaction ID are in a license revocation list (LRL) 
in the TRM of the reception side. When they are in 
the LRL, the process is terminated. 

(7) The license is stored to a license entry in the 
TRM of the reception side. 

(8) The protocols and procedures for moving the li- 
cense and reproducing the content are same as 
those of the UD AC -MB/LB (refer to the description 
in the Japanese patent application documents list- 
ed in the section "Description of Preferred Embod- 
iment"). 

[0064] The generation of an offline license with an on- 
line license (making offline license) and the storage of 
an offline license (making online license) are accom- 
plished by the function of the LA (Licensor Agent). In 
other words, an offline license is transferred between 
the LAs. 

[0065] The related functions of the offline license of 
the LA are as follows: 

Function for obtaining license information (content 
ID, transaction ID, access condition, ... etc.) 

Obtain all license information. 

Obtain all license information with respect to 
the relevant content ID. 
Function for generating offline license. 

Generate an offline license with an individual 
public key certificate of the LA of the reception side 
and an online license (content ID and transaction 
ID). 

Store an offline license. 

Store a designated offline license to the license 
management database of the LA so as to generate 
an online license. 

TRM area installing process using content repro- 
ducing application program and electronic data 
processing application program 

The content reproducing application and the 
electronic data processing application cause a se- 
quence of processes (UDAC-MB protocol installing 
process portion) to be installed to the TRM area. 
Function for obtaining an online license from LA (or 
license chip) (corresponding to the UDAC-MB pro- 
tocol). 

Fu notion for decrypting encrypted content data with 
an online license. 

Function for reproducing a content and processing 
data 

- Various types of public key certificates 

[0066] A secret key, a class public key certificate, an 



authenticated station route public key certificate corre- 
sponding to an individual public key certificate of the LA 
are placed in a product (package) by the producer so 
that they are expanded in the TRM area. In addition, the 
5 LA has a function for outputting its individual public key 
certificate. 

[0067] When the user sends an individual public key 
certificate of his or her LA to the transmission side of the 
offline license, the certificate is obtained using that func- 
w tion. 

[0068] Next, conventional technologies used in the 
embodiment of the present invention will be described. 

TRM (Tamper Resistant Module) 

15 

[0069] A technology that prevents a process being 
performed and data being processed from being ex- 
tracted and/or inferred from the outside. In addition, 
TRM means a semiconductor chip or a program that us- 

20 es such a technology. 

[0070] A semiconductor chip that uses the TRM tech- 
nology is referred to as hardware TRM. In contrast, a 
program that uses the TRM technology is referred to as 
software TRM. According to the embodiment of the 

25 present invention, any of the hardware TRM and the 
software TRM can be used. 

1) Hardware TRM 

30 [0071] The hardware TRM can be accomplished by 
the following technology. 

Prohibit secret information from being read and re- 
written from an external terminal. The controlling 
35 firmware, log information, access control informa- 
tion, and so forth are formed so that they cannot be 
written. 

Sealed by metal layer, special coating, and mesh 
sensor 

40 - Use an ultra fine structure. 

2) Software TRM 

[0072] The software TRM is accomplished by the fol- 
45 lowing technologies: 

Separate an area for a program process from data 
area and disperse them in memory so as to prevent 
data from being analyzed. 
so - Encrypt a load module. Decrypt the load module on- 
ly when it is executed. 

Vary the mapped structure of the program in the 
memory space. 

55 [0073] Next, the embodiment of the present invention 
will be further described. 

[0074] Fig. 7 is a schematic diagram for explaining the 
generation of a new license and encrypted data. 



50 



35 



40 



7 



BNSDOCID: <EP _1286243A2_I_> 



13 



EP 1 286 243 A2 



14 



[0075] When the PC of the transmission side or the 
distribution server receives a content !D, an access con- 
dition, and so forth with the license controlling portion of 
the LA, the transaction ID controlling portion assigns a 
transaction ID to a license. The license is stored to the 
license management database. The electronic data en- 
crypting/decrypting function portion uses the license to 
encrypt electronic data. 

- License management database 

[0076] A database that stores a license. In reality, the 
license management database may be a DBMS (Data- 
base Management System) or a file. 
[0077] Fig. 8 is a schematic diagram showing the 
structure of a record of the license management data- 
base. 

Description of each field 

- Time stamp 1 and time stamp 2 

[0078] Time stamps placed when a record is generat- 
ed. The LA determines whether or not the time stamp 1 
matches the time stamp 2. When they match, the LA 
determines that the records has been stored to the file. 
In reality, when the license management database is 
composed of a DBMS, since the admissity of the data- 
base is assured by the DBMS, these time stamps are 
omissible. 

- Content ID 

[0079] A content ID of a content corresponding to a 
license. 



- Offline transaction ID 1 

[0084] When a license is transmitted to the relevant 
LA in the form of an offline license, an offline transaction 

5 ID assigned by the LA of the generation side of the of- 
fline license is stored in this field. The offline transaction 
ID is a unique number assigned by the LA of the gener- 
ation side of the offline license. An offline license can be 
uniquely identified with the subject name of the public 

io key certificate of transmission side and the offline trans- 
action ID. When a license is transmitted corresponding 
to the UDAC-MB protocol (on line), this field is zero 
cleared. 

[0085] Fig. 9 is a schematic diagram showing a proc- 
'5 ess for generating an offline license (making offline li- 
cense). 

[0086] In the PC of the transmission side / the distri- 
bution server, a content ID and a transaction ID are input 
to the LRL controlling portion and the license controlling 

20 portion of the LA. The LRL controlling portion references 
the LRL control database. The license controlling por- 
tion references a license of the license management da- 
tabase. The LRL controlling portion performs the proc- 
ess in communication with the license controlling por- 

25 tion. The processed result of the license controlling por- 
tion is supplied to the LRL controlling portion. In addi- 
tion, the transaction ID is supplied from the offline trans- 
action ID controlling portion to the LRL controlling por- 
tion. Moreover, a license encrypting request is sent from 

30 the LRL controlling portion to the offline license encryp- 
tion/decryption controlling portion. The offline license 
encryption/decryption controlling portion outputs an en- 
crypted offline license. 

35 - Offline transaction ID controlling portion 



■ Transaction ID 

[0080] A transaction ID contained in a license. 
[0081 ] A license can be uniquely identified with a con- 
tent ID and a transaction ID. 

♦ Encryption license 

[0082] A license that has been encrypted. A license 
is encrypted with a secret key of the LA. (For example, 
T-DES is used.) A secret key of the LA is stored in the 
TRM area so that the secret key cannot be accessed by 
other people. 

- Subject name of public key certificate of transmission 
side 



[0087] Now, it is assumed that an LA of a particular 
PC (hereinafter, the LA is referred to as LA 1 ) generates 
an offline license so as to transfer a license and that the 

40 offline license is finally returned to the LA 1 . When a li- 
cense that has been transferred from the LA 1 is mis- 
takenly or illegally tried to be stored to the LA 1 , the li- 
cense should be prevented from being stored to the LA 
1 . However, since the license may be legally tried to be 

45 returned to the LA 1 , it is improper to unconditionally 
remove the license. 

[0088] To allow such a license to be distinguished, 
when an offline license is generated, the offline transac- 
tion ID controlling portion newly assigns a unique ID in 
50 the LA. 

- LRL (License revocation List) controlling portion 



[0083] A subject name of a public key certificate of an 
LA of a transmission side that transmits an offline li- 
cense. When a license is transmitted corresponding to 
the UDAC-MB protocol (on line), this field is zero 
cleared. 



[0089] When an offline license is generated, the li- 
55 cense in the LA is removed (deleted). In this case, to 
prevent the same license from being stored to the LA, 
license information (subject name of individual public 
key certificate of transmission side, offline license ID, 
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and so forth) that represents that the offline license has 
been generated is stored and managed. 
[0090] To distribute a license, the distribution server 
generates an offline license. In this case, the distribution 
server does not receive any offline license. Thus, gen- 
erally, the distribution server need not have the LRL con- 
trolling portion. 

[0091] Fig. 10 is a schematic diagram showing fields 
of a record of the LRL (License Revocation List) control 
database. 

[0092] The fields of a record of the LRL control data- 
base are the same as those of the license management 
database except for the following fields. 
[0093] Subject name of public key certificate of recep- 
tion side: 

[0094] A subject name of a public key certificate of an 
LA of the reception side when the LA generates an of- 
fline license. 

Offline transaction ID 2: 

[0095] An offline transaction ID assigned when the LA 
generates an offline license. 

Latest flag: 

[0096] A flag that represents the latest generated of- 
fline license corresponding to each license (online li- 
cense). 

On: Latest Off: Not latest 

[0097] When an offline license is generated again, in- 
formation of a record whose latest flag field is ON is 
used. 

- Input parameters 
[0098] 

Individual public key certificate of LA of reception 
side 

Content ID 
Transaction ID 

[0099] The user pre-obtains a content ID and a trans- 
action ID of a license with which an offline license is gen- 
erated using the license displaying function portion. 
[0100] However, information about a product corre- 
sponding to a license may be managed by a dedicated 
tool or by the user. 

[0101] Fig. 11 and Fig. 12 are flow charts for explain- 
ing the operation of the LA. 

[0102] At step S1. the command controlling portion 
activates the offline license generating function. At step 
S2, a serializing process (suppressing the load module 
from being dually activated, performing a semaphore 
operation, and so forth) is performed. At step S3, the 



validity of the individual public key certificate of the LA 
of the reception side is checked. 

[0103] Thereafter, at step S4, the LRL controlling por- 
tion searches the LRL control database with the follow- 
5 ing keys. 

Content ID = input parameter 
Transaction ID = input parameter 
Latest flag = ON 

w 

[0104] When a license whose latest flag is ON is not 
stored in the database, the license controlling portion 
searches the license management database with the 
following keys (at step S5). 

15 

Content ID 
Transaction ID 

[0105] When the searched result represents that the 
20 corresponding license is not stored in the license man- 
agement database, the license controlling portion per- 
forms an error process. Thereafter, the flow advances 
to step S21 . When the searched result represents that 
the corresponding license is stored in the license man- 
25 agement database, the offline transaction ID controlling 
portion assigns an offline transaction ID (at step S6). At 
step S7, the LRL controlling portion generates^ record 
of the LRL control database with the value of the record 
obtained as the searched result at step S5, the.value of 
30 the input parameter, and the offline transaction ID, sets 
the latest flag of the record to ON, and stores the record 
to the LRL control database. At step S8, the license con- 
trolling portion deletes the record obtained as the 
searched result at step S5 from the license manage- 
rs ment database. At step S9, the offline license encryp- 
tion/decryption controlling portion generates an offline 
license with the value of the record generated at step 
S7 and the input parameter. Thereafter, the flow advanc- 
es to step S21 . 
40 [0106] When the determined result at step S4 repre- 
sents that there is the corresponding license, the flow 
advances to step S10. At step S10 : the license control- 
ling portion searches the license management database 
with the content ID and the transaction ID used at step 
45 S4. When there is no corresponding license, the flow 
advances to step S11. At step S11, it is determined 
whether or not the subject name of the individual public 
key certificate of the LA of the reception side of the 
record obtained as the searched result at step S4 
50 matches the subject name of the individual public key 
certificate of the reception side of the input parameter. 
When the determined result represents that they do not 
match, an error of which there is no corresponding li- 
cense takes place. Thereafter, the flow advances to step 
55 S21 . When the determined result at step S11 represents 
that they match, the flow advances to step S1 2. At step 
S1 2, the offline license encryption/decryption controlling 
portion generates an offline license with the value of the 
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record obtained as the searched result at step S4 and 
the input parameter and returns the generated offline 
license to the portion that requests it. Thereafter the 
flow advances to step S21 . 

[0107] When the determined result at step S1 0 repre- 5 
sents that there is the corresponding license, the flow 
advances to step S13 shown in Fig. 12. At step S13, it 
is determined whether or not the subject name of the 
individual public key certificate of the transmission side 
of the record obtained as the searched result at step S 1 0 10 
and the offline transaction ID 1 match the respective 
fields of the record obtained as the searched result at 
step S4. When they match, the flow advances to step 
S14. At step S14, it is determined whether or not the 
subject name of the individual public key certificate of 15 
the LA of the reception side of the record obtained as 
the searched result at step S4 matches the subject 
name of the individual public key certificate of the recep- 
tion side of the input parameter. When the determined 
result at step S1 4 represents that they do not match, an 20 
error representing that there is no corresponding license 
takes place. Thereafter, the flow advances to step S21. 
When the determined result at step S14 represents that 
they match, the flow advances to step S1 5. At step S1 5, 
unless the subject name of the individual public key cer- 25 
tificate of the transmission side of the record of the li- 
cense management database obtained as the searched 
result at step S10 is all zero, the license controlling por- 
tion deletes the record. Thereafter, the offline license en- 
cryption/decryption controlling portion generates an of- 20 
fline license with the value of the record obtained as the 
searched result at step S4 and the input parameter and 
returns the generated offline license to the portion that 
requests it. Thereafter, the flow advances to step S21 . 
[0108] When the determined result at step S13 repre- 35 
sents that they do not match, the flow advances to step 
S16. At step S16, the LRL controlling portion turns off 
the value of the latest flag of the record obtained as the 
searched result at step S1 7 of the LRL control database. 
At step S1 7, the offline transaction ID controlling portion 40 
assigns an offline transaction ID. At step S18, the LRL 
controlling portion generates a record of the LRL control 
database with the value of the record obtained as the 
searched result at step S10 and the value of the offline 
transaction ID. The LRL controlling portion stores the 45 
generated record to the LRL control database (sets the 
latest flag to ON) . At step S19, the license controlling 
portion deletes the record of the license management 
database obtained as the searched result at step S10. 
At step S20, the offline license encryption/decryption so 
controlling portion generates an offline license with the 
value of the record generated at step S1 8 and the input 
parameter and returns the offline license to the portion 
that requests it. Thereafter, the flow advances to step 
S21 . 55 
[0109] At step S21 , the serializing process of the LA 
is completed. 

[01 1 0] When there is the corresponding record in the 



license management database at step S5 and step S1 0, 
the encrypted license of the record is decrypted. When 
the values of the content ID and the transaction ID do 
not match the values designated with the search keys, 
it is determined that the license management database 
has been forged. As a result, the process is terminated 
with an error. 

[0111] When there is the corresponding record in the 
LRL control database at step S4, the encrypted license 
of the record is decrypted. When the values of the con- 
tent ID and the transaction ID do not match the values 
designated by the record search keys, it is determined 
that the LRL control database has been forged. As a 
result, the process is terminated with an error. 
[01 12] At step S9. the offline license generating proc- 
ess portion decrypts the encrypted license of the record 
obtained as the searched result at step S5 with a secret 
key in the LA and generates an offline license with the 
decrypted result. 

[0113] At steps S12 and S15, the offline license gen- 
erating process portion decrypts the encrypted license 
of the record obtained as the searched result at step S4 
with a secret key in the LA and generates an offline li- 
cense with the decrypted result. 

[0114] At step S20, the offline license generating 
process portion decrypts the encrypted license of the 
record obtained as the searched result at step S10 with 
a secret key in the LA. The offline license generating 
process portion generates an offline license with the de- 
crypted result. 

[0115] Fig. 13 is a schematic diagram for explaining 
a process for storing an offline license (making online 
license). 

- Input parameter 
[0116] Offline license 

- LRL controlling portion 

[0117] When an offline license is stored, the LRL con- 
trolling portion obtains information about an offline li- 
cense that has been generated (subject name of indi- 
vidual public key certificate of transmission side, offline 
license ID, and so forth). The LRL controlling portion de- 
termines whether or not the offline license has been 
stored. When the offline license has been stored to the 
LRL management database, an error takes place. 

- License controlling portion 

[0118] Unless the offline license has been stored to 
the LRL management database, the license controlling 
portion determines whether or not the corresponding li- 
cense (online license) has been registered. The license 
controlling portion searches the license management 
database for the license. When the license manage- 
ment database stores a record of the license corre- 
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sponding to the offline license, an error takes place. 
[0119] Fig. 14 is a flow chart showing a process for 
storing an online license. 

[0120] At step S30, the command controlling portion 
activates the offline license storing function. At step S31 , 
the serializing process (suppressing the load module 
from being dually activated, performing the semaphore 
operation, and so forth) of the LA function is performed. 
[0121] At step S32, the offline license encryption/de- 
cryption controlling portion perform a decrypting proc- 
ess for an offline license. At step S33, the validity of the 
offline license is checked. At step S34, the LRL control- 
ling portion searches the LRL control database with 
keys of the following fields of the offline license decrypt- 
ed at step S32. 

Content ID 
Transaction ID 

Subject name of individual public key certificate of 
LA of transmission side 
Offline transaction ID 1 

[01 22] When the LRL control database stores the cor- 
responding offline license, an error that represents that 
the same offline license has been stored takes place. At 
that point, the flow advances to step S37. 
[0123] When the determined result at step S34 repre- 
sents that the LRL control database does not stores the 
corresponding license, the flow advances to step S35. 
At step S35, the license controlling portion searches the 
license management database with keys of the follow- 
ing fields of the offline license decrypted at step S32. 

Content ID 
Transaction ID 

[0124] When the determined result at step S35 repre- 
sents that license management database stores the cor- 
responding license, an error that represents that the 
same license has been registered takes place. At that 
point, the flow advances to step S37. 
[0125] When the determined result at step S35 repre- 
sents that the license management database does not 
store the corresponding license, the flow advances to 
step S36. At step S36, the license controlling portion 
generates a record of the license management data- 
base with the offline license decrypted at step S32 and 
stores the generated record to the license management 
database- Thereafter, at step S37, the serializing is re- 
leased and the process of the LA function is completed. 
[01 26] When the determined result at step S35 repre- 
sents that the license management database stores the 
corresponding record, the encrypted license of the 
record is decrypted. When the values of the content ID 
and the transaction ID match the values designated by 
the record search keys, it is determined that the license 
management database has been forged. At that point, 
the process is terminated with an error. 



[01 27] When the determined result at step S34 repre- 
sents that the LRL control database stores the corre- 
sponding record, the encrypted license of the record is 
decrypted. When the values of the content ID and the 

5 transaction ID do not match the values designated by 
the record search keys, it is determined that the LRL 
control database has been forged. At that point, the 
process is terminated with an error. 
[01 28] When a record of the license management da- 

10 tabase is generated at step S36, a license of which the 
offline license has been decrypted is encrypted with a 
secret key of the LA. The generated encrypted license 
is embedded in the record. 

[0129] Next, a license searching function will be de- 
15 scribed. 

- Outline of function 

- Obtaining information of all licenses 

20 

[0130] The following information is obtained for all li- 
censes. 

[0131] Content ID, transaction ID, subject name of in- 
dividual public key certificate of transmission side (when 
25 stored with offline license), access condition, data rep- 
resenting whether or not offline license has been gen- 
erated 

[0132] When the offline license has been generated, 
the following information is added. 
30 [0133] Subject name of individual public key certifi- 
cate of reception side 

• Searching for license with content ID 

35 [0134] Information about a license corresponding to 
designated content ID is obtained. The fields of the in- 
formation are the same as those of the above-described 
information. 



[0135] With reference to records of the license man- 
agement database and the LRL control database, the 
information is output. 

45 

1) The records are read from the license manage- 
ment database. 

2) The LRL control database is searched for a 
record whose latest flag is ON and whose fields are 

so the same as those of the record referenced in 1 ). 

Content ID, transaction ID 
When the LRL control database does not store 
the corresponding record, a record of the license 
management database is output. When the LRL 
55 control database stores the corresponding record, 

since the offline license has been generated, addi- 
tional information is output. 

3) The LRL control database is searched for a 



25 



40 - Outline of system 
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record whose latest flag is ON and that does not 
match the record obtained as the searched result in 
2). When the corresponding record is obtained, in- 
formation that represents that the offline license has 
been generated is output. 5 
Consistency with operation of online license 

[0136] When an online license is transferred corre- 
sponding to the UDAC-MB protocol, the LA of the re- 
ception side performs the following process. 10 

1) The LRL control database is searched for a 
record with the following keys. 

Content ID = content ID of offline license 15 
Transaction ID = transaction ID of online li- 
cense 

Latest flag = ON 

When the LRL control database stores the cor- 20 
responding record, the latest flag of the record is 
set to OFF. 

2) The online license is stored to the license control 
database. At that point, the values of the following 
field are cleared to zero. . 25 

Subject name of individual public key certificate 
of LA of transmission side 
Offline transaction ID 1 

30 

[0137] This control the offline license storing function 
portion, and the offline license generating function por- 
tion prevent a license from being unreasonably invali- 
dated and a license from being illegally copied even if 
an offline license and an online license are transferred 35 
at a time and an offline license and an online license are 
generated with one license. 

Countermeasure against destruction of disk area of LA 
(software) *o 

[01 38] When the disk area of the LA is destroyed, the 
user should re-install the LA. However, in this case, if 
the user repeatedly generates an offline license, re-in- 
stalls the LA, stores the offline license, and generates 45 
the offline license, a plurality of licenses are generated 
with one license. 

[0139] To prevent such a situation, whenever the LA 
is installed, a pair of an individual public key certificate 
and a secret key corresponding thereto are changed. so 

The producer of the LA prepares several key spares 
for one user and requests an authentication station 
to issue certificates for the individual public key 
spares. 55 
Before shipping the LA, the producer embeds the 
key spares and the public key certificates to the 
product in such a manner that the user can install 



the LA to the product one time. 
When the user re-installs the LA to the product, he 
or she should request a new package in which a key 
spare has been embedded to the seller (producer) 
and receives the new package from the seller 
through the Internet or the like. 

[0140] Alternatively, using the install program of the 
LA, the user can receive a key pair from the server of 
the producer. In this case, the risk on security becomes 
large. 

[0141] Next, examples of an offline license used for 
the distribution of an electronic document will be de- 
scribed. 

[0142] Conventionally, the UDAC-MB deals with an 
online license. To distribute a license on a network, the 
transferring function should have the UDAC-MB transfer 
protocol. Thus, a license cannot be transferred using a 
commercially available software program. 
[0143] In contrast, an offline license can be trans- 
ferred using a commercially available software program . 
[0144] Fig. 1 5 is a schematic diagram showing an out- 
line of the distribution of an electronic document using 
an offline license. 

[0145] Next, the case that a creator transmits an elec- 
tronic document he or she created and permits the re- 
ception side to reference the electronic document will 
be described. 

(1 ) Transmission side (creator of electronic document): 

[0146] A license and encrypted data are generated 
with the created electronic document through the LCM 
(License Compliant Module). At that point, the creator 
of the electronic document designates access control 
information. 

- License for permitting the reception side to reference 
the electronic document 

[0147] A secret key for decrypting an electronic doc- 
ument. 

[0148] Access control information such as number of 
reference times and number of print times is added to 
the license. 

[01 49] The license is stored in the LA. Unless the TRM 
is destroyed, the license cannot be extracted. 

- Encrypted data 

[01 50] An electronic document that has been encrypt- 
ed with the license. 

[01 51 ] SCDF format (Super Content Distribution For- 
mat) 

(2) Transmission side, reception side: 

[0152] The transmission side receives a public key 
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certificate of an LA from a user of the reception side who 
received an electronic document. 

(3) Transmission side: 

5 

[01 53] With the public key certificate of the reception 
side obtained in (2) and the license generated in (1 ), the 
transmission side generates an offline license using the 
function of the LCM. 

[01 54] An offline license is composed of a license that 10 
has been encrypted with a secret key generated by the 
LA of the transmission side and data of which the secret 
key has been encrypted with a public key of the recep- 
tion side. An offline license can be transferred on a net- 
work. 15 
[0155] However, the attack resistance of an offline li- 
cense can be adjusted by multiplexing keys. In reality, 
the number of keys for the attack resistance are decided 
by concerned people. 

20 

(4) Transmission side, reception side: 

[01 56] The offline license of the transmission side and 
the encrypted data are transmitted to the reception side. 
[01 57] The offline license and the encrypted data can 25 
be transmitted by any means (for example, a network 
or a portable record medium). 

(5) Reception side: 

30 

[0158] The offline license is stored to the TRM area 
using the function of the LCM. 

(6) Reception side: 

35 

[0159] By designating the encrypted data and the li- 
cense corresponding thereto, an electronic document 
processing application program corresponding to the 
UDAC is executed. 

[01 60] The secret key of the LA is stored in the TRM 40 
area. In addition, the offline license is stored in the TRM 
area. Thus, the electronic document transmitted to the 
reception side cannot be copied (unless the TRM is de- 
stroyed or the secret key of the LA is extracted). 
[0161] Fig. 16 and Fig. 17 are schematic diagrams «5 
showing examples of an offline license applied to a mul- 
ticast (broadcast). 

[0162] It is assumed that video/audio data is transmit- 
ted in the MPEG2 format. 

1) When each user contracts with the broadcasting 
company for a subscription, he or she registers 
(sends) an individual public key certificate of the LA 
of a reception tuner to the broadcasting company. 
The LA according to the embodiment is built in the 
tuner. 

2) After the user has contacted with the broadcast- 
ing company for the subscription, he or she turns 



on the power of the tuner 

[0163] Li are offline licenses generated with the indi- 
vidual public key of the LA of the users i. 
[0164] Li (offline licenses) of all the subscribers are 
transmitted with EMM (Entitlement Management Mes- 
sage: qualification information (subscription information 
in the case of a broadcast) at intervals of 1 5 to 30 min- 
utes. In Figs. 16 and 17, ECM (Entitlement Check Mes- 
sage) is a scramble key and a license. 
[0165] In the examples, it is assumed that individual 
subscriber information is added to an offline license and 
that the license management database has an addition- 
al field for individual subscriber information. 
[0166] A pair of a license stored in the license man- 
agement database of the LA and an individual contrac- 
tor information are sent to a decoder corresponding to 
the UDAC-MB protocol. 

[0167] The decoder decrypts the encrypted data re- 
ceived from the tuner with the license and reproduces 
the decrypted data. 

[01 68] The decoder determines whether or not the de- 
crypted data can be reproduced corresponding to pro- 
gram information of a program being received and the 
individual subscription information. 
[0169] In this system, since the broadcasting station 
and the user side (LA) do not share a secret key, a plu- 
rality of broadcast programs (using an offline license 
system) can be received with one tuner Of course, no 
IC card is required. 

[0170] Fig. 18 is aschematic diagram showing a hard- 
ware environment of a computer necessary for accom- 
plishing the embodiment of the present invention with a 
program. 

[0171] A CPU 21 copies a program that has been read 
from a recording unit 27 (such as a hard disk) or a read- 
ing unit 28 connected to a bus 20 and stored in a port- 
able record medium (such as a floppy disk, a CD-ROM, 
or a DVD) to a RAM 23 and executes the program with 
the RAM 23. Alternatively with the program stored in a 
ROM 22, the computer may be used as a dedicated ma- 
chine. In addition, the ROM 22 stores a basic program 
such as BIOS. 

[0172] An input/output unit 30 is a display unit, a key- 
board, a mouse, a template, and so forth. The input/out- 
put unit 30 sends a command of a user to the CPU 21 
and presents a processed result to the user. 
[0173] A communication interface 24 communicates 
with an information provider 26 through a network 25 so 
as to download the program of the information provider 
26 from a record medium. The downloaded program is 
stored to a storing unit 27 or the portable record medium 
29. Alternatively, the program can be executed in a net- 
work environment. 

[0174] When the PC according to the embodiment of 
the present invention is accomplished by a computer, 
the TRM area should be disposed. The TRM area may 
be formed with a program executed by the CPU 21 . Al- 
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ternatively, a TRM chip as hardware may be connected 
to the bus 20 so that the TRM chip dedicatedly performs 
a process for an offline license. 

[01 75] Many Japanese patent applications that relate 
to the UD AC -MB/LB according to the embodiment of the 
present invention have been filed. The UDAC-MB/LB is 
known as KdM standard. Examples of those Japanese 
patent applications are: 

- Japanese Patent Application No. HEI 05-257816 
Japanese Patent Application No. HEI 08-101867 
Japanese Patent Application No. HEI 08-106382 
Japanese Patent Application No. HEI 08-190529 
Japanese Patent Application No. HEI 1 1 -099482 
Japanese Patent Application No. HEI 04-058048 
Japanese Patent Application No. HEI 06-238060 
Japanese Patent Application No. HEI 06-225228 
Japanese Patent Application No. HEI 07-001798 
Japanese Patent Application No. HEI 11-099482 



tion log for each offline license, and storing the 
generation log to the second storing means, 

wherein the offline license is exchanged with 
5 the license agent means of another information ter- 

minal unit so that a license for a content can be 
transmitted or received. 

2. The information terminal unit as set forth in claim 1 , 
w wherein the license agent means is disposed 

in a TRM area. 

3. The information terminal unit as set forth in claim 1 
or 2, 

15 wherein the license agent means has a func- 

tion for encrypting a license stored in the first storing 
means with both a public key of the reception side 
and a session key and extracting the encrypted li- 
cense in a regular electronic file format. 



[0176] According to the present invention, since a li- 
cense of electronic data is formed as an offline license, 
it can be safely transferred to a user of the reception 
side. Thus, electronic data can be suppressed from be- 
ing illegally copied and can be property distributed. 
[0177] Although the present invention has been 
shown and described with respect to a best mode em- 
bodiment thereof, it should be understood by those 
skilled in the art that the foregoing and various other 
changes, omissions, and additions in the form and detail 
thereof may be made therein without departing from the 
scope of the present invention. 

[0178] The present invention may be embodied in a 
computer program. The computer program may be 
stored on a computer-readable medium, or it could, for 
example, be embodied in a signal such as a download- 
able data signal provided from an Internet web site. The 
appended computer program claims are to be interpret- 
ed as covering a computer program by itself, or as a 
record on a carrier, or as a signal, or in any other form. 



Claims 

1. An information terminal unit used for distributing a 
license for encrypted content between users, the in- 
formation terminal unit comprising: 

first storing means for storing a license for an 
encrypted content; 

second storing means for storing a generation 
log of an offline license; and 
license agent means for generating an offline 
license with a license for an encrypted content, 
generating a license for an encrypted content 
with the offline license, storing the generated 
license for the encrypted content to the first 
storing means, creating or updating a genera- 



4. The information terminal unit as set forth in claim 1 , 
2 or 3, 

wherein the license agent means can gener- 
ate the same offline license without a risk of which 
25 copies of the license that are used by users are gen- 
erated. 

5. The information terminal unit as set forth in any of 
claims 1 to 4, 

30 wherein the license agent means uses the 

generation log so as to prevent a license that has 
been transferred from being stored again when an 
offline license is received. 

35 6. An information terminal unit used for receiving a li- 
cense for a content that is multicast using an en- 
crypted broadcast signal to a plurality of subscrib- 
ers, the information terminal unit comprising: 

40 storing means for storing a license for a con- 

tent; and 

license agent means for generating a license 
for a content with a received offline license and 
storing the generated license to the storing 
45 means, 

wherein offline licenses for all subscribers are 
placed in the broadcast signal at predetermined in- 
tervals, and 

so wherein a license for allowing an encrypted 

broadcast signal to be referenced with an offline li- 
cense corresponding to the information terminal 
unit. 

55 7. The information terminal unit as set forth in claim 6, 
wherein the storing means and the license 
agent means are disposed in a TRM area. 
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8. A method for distributing a license for an encrypted 
content between users using information terminal 
units, the method comprising the steps of: 

storing a license for an encrypted content to 5 
first storing means; 

generating an offline license with the stored li- 
cense for the encrypted content; 
generating or updating a generation log of the 
offline license and storing the generation log to 
second storing means; and 
transmitting the offline license to another infor- 
mation terminal unit. 

9. A method for distributing a license for an encrypted 
content between users using information terminal 
units, the method comprising the steps of: 

receiving an offline license from another infor- 
mation terminal unit; 

generating a license for an encrypted content 
with the received offline license; 
storing the generated license to first storing 
means; and 

generating or updating a generation log for the 
offline license and storing the generated or up- 
dated generation log to second storing means. 

10. The method as set forth in claim 8 or 9, 

wherein the offline license generating step is 
performed by license agent means of each of the 
information terminal units, the offline license gener- 
ating step including exchanging the offline license 
between the information terminal units. 

11. The method as set forth in claim 10, 

wherein when the license generating step is 
performed, the license agent means uses the gen- 
eration log so as to prevent a license that has been 
transferred from being stored again. 

12. A method for distributing a license for a content that 
is multicast using an encrypted broadcast signal to 
a plurality of subscribers, the method comprising 
the steps of: 

receiving a broadcast signal, offline licenses of 
all subscribers having been inserted into the 
broadcast signal at proper intervals; 
extracting an offline license corresponding to 
an information terminal unit of a relevant sub- 
scriber from the broadcast signal: and 
generating a license for allowing the broadcast 
signal to be referenced with the extracted of- 
fline license. 

13. A method for distributing a license for a content that 
is multicast using an encrypted broadcast signal to 



a plurality of subscribers, the method comprising 
the steps of: 

encrypting a broadcast signal; and 
inserting offline licenses corresponding to all 
subscribers into the broadcast signal at proper 
intervals, the offline licenses being used to gen- 
erate licenses for allowing the encrypted broad- 
cast signal to be referenced. 

14. A program for causing an information terminal unit 
to perform a method for distributing a license for an 
encrypted content between users using information 
terminal units, the method comprising the steps of: 

storing a license for an encrypted content to 
first storing means, 

generating an offline license with the stored li- 
cense for the encrypted content; 
generating or updating a generation log of the 
offline license and storing the generation log to 
second storing means; and 
transmitting the offline license to another infor- 
mation terminal unit. 

15. A program for causing an information terminal unit 
to perform a method for distributing a license for an 
encrypted content between users using information 
terminal units, the method comprising the steps of: 

receiving an offline license from another infor- 
mation terminal unit; 

generating a license for an encrypted content 
with the received offline license; 
storing the generated license to first storing 
means; and 

generating or updating a generation log for the 
offline license and storing the generated or up- 
dated generation log to second storing means. 

16. A record medium on which a program has been 
stored, the program causing an information terminal 
unit to perform a method for distributing a license 
for an encrypted content between users using infor- 
mation terminal units, the method comprising the 
steps of: 

storing a license for an encrypted content to 
first storing means; 

generating an offline license with the stored li- 
cense for the encrypted content; 
generating or updating a generation log of the 
offline license and storing the generation log to 
second storing means; and 
transmitting the offline license to another infor- 
mation terminal unit. 

17. A record medium on which a program has been 
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stored, the program causing an information terminal 
unit to perform a method for distributing a license 
for an encrypted content between users using infor- 
mation terminal units, the method comprising the 
steps of: 5 

receiving an offline license from another infor- 
mation terminal unit; 

generating a license for an encrypted content 
with the received offline license; w 
storing the generated license to first storing 
means: and 

generating or updating a generation log for the 
offline license and storing the generated or up- 
dated generation log to second storing means. '5 
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